Infosec from @rattis' point of view

scripts to decode base64 and hex

About a month ago, I added a couple of shell scripts to my DFIR GitHub repository. Three of the four scripts are used at work daily in either a Linux terminal or a Cygwin terminal. The fourth script is something I use to help with quarantined mail, and is not really DFIR based.

b64Decode.sh and hexConvert.bash take a command line argument and report back the result. For example:

example b64Decode.sh

~$ b64Decode.sh 4piiZXhjaXRpbmcgbmV3cw==
?exciting news
~$

It works well enough. Mainly I use it for base64 encoded subject lines or links in emails. The '?' in the output above is not in the data: the first three decoded bytes are E2 98 A2, the UTF-8 encoding of the radioactive sign (U+2622), which the terminal's locale or font could not display and replaced with a placeholder. The hex version does something similar, and is used for the same reason. However, since the beginning of 2018, I've been using it to deobfuscate shellcode passed via SOAP API calls.

Last week I noticed that a coworker was using a website to do the deobfuscation, which led three of us to compare how we look at the code. I was doing it via my shell scripts (really just echo $1 | decoder of choice). Another team member was doing the same thing in Python. The guy using the website said that he wanted to be able to paste the code into a file, click a button, and have another file with the output.

Which led me to writing Python to do just that.

b64Decoder.py

#! python3
import base64

# Read the base64 text from base64.txt in the working directory. b64decode
# discards characters outside the base64 alphabet by default, so a trailing
# newline left by the editor does not need stripping.
with open('base64.txt', 'r') as baseFile:
    decode = baseFile.read()

# Open the output in binary mode and write the decoded bytes untouched: the
# data may contain non-ASCII bytes (the cause of the '?' in the shell example)
# or binary shellcode, and a text-mode write would mangle it.
with open('b64_plain.txt', 'wb') as plainFile:
    plainFile.write(base64.b64decode(decode))

It requires a base64.txt file in the directory you run it from (the path is relative to the working directory, not to the script), and writes b64_plain.txt to that same directory.

The GitHub repository has a compiled version for people who don't have Python on their computers. Same requirement for the text file.

hexDecoder.py

#! python3
import codecs

# Read the hex string from hex.txt in the working directory and drop all
# whitespace: the hex codec rejects any non-hex character, so the trailing
# newline most editors add would otherwise abort the decode with
# "Non-hexadecimal digit found".
with open('hex.txt', 'r') as hexFile:
    decode = ''.join(hexFile.read().split())

# Write the decoded bytes untouched, so binary shellcode is not mangled.
with open('hex_plain.txt', 'wb') as plainFile:
    plainFile.write(codecs.decode(decode, 'hex'))

Yes, they're fairly simple and not very pythonic, but the output is better than the shell scripts'. Here is the same base64 sample as above, the one with the question mark.
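The script below is an added example, not one of the scripts from the repository: a single file-to-file decoder that handles both encodings and tolerates the way pasted data usually arrives from mail headers and SOAP bodies (folded lines, spaces, 0x or \x prefixes, URL-safe base64, missing padding). The function names decode_base64, decode_hex, guess_and_decode and decode_file, and the two-argument command line, are my own; the SAMPLE_B64 string is the one from the post above, and the hex samples in the docstrings are constructed.

```python
#!/usr/bin/env python3
"""Added example, not the author's b64Decoder.py or hexDecoder.py: one
file-to-file decoder that tolerates how pasted base64 and hex usually arrive
(line breaks, spaces, 0x prefixes, missing padding) and writes raw bytes."""
import base64
import binascii
import re
import sys
from pathlib import Path

# The base64 sample from the post above, the one the shell script showed as "?exciting news".
SAMPLE_B64 = "4piiZXhjaXRpbmcgbmV3cw=="


def decode_base64(text):
    """Decode base64 copied out of a mail header or SOAP body.

    Tolerates whitespace (folded headers wrap lines), the URL-safe alphabet
    ('-' and '_' for '+' and '/'), and missing '=' padding. Any other stray
    character is an error rather than silently dropped (validate=True).
    """
    compact = "".join(text.split())
    compact = compact.replace("-", "+").replace("_", "/")
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact, validate=True)


def decode_hex(text):
    """Decode hex written as 'e298a2', 'e2 98 a2', '0xE2,0x98,0xA2' or '\\xe2\\x98\\xa2'
    (constructed samples)."""
    cleaned = re.sub(r"0x|\\x|[\s,:]", "", text, flags=re.IGNORECASE)
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError("not a hex string")
    return bytes.fromhex(cleaned)


def guess_and_decode(text):
    """Return (kind, raw_bytes). Hex is tried first because every hex string is
    also made of base64 alphabet characters; the reverse is not true. A string
    that is both (for example 'deadbeef') is therefore treated as hex."""
    try:
        return "hex", decode_hex(text)
    except ValueError:
        pass
    try:
        return "base64", decode_base64(text)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"input is neither hex nor base64: {exc}") from None


def decode_file(src, dst):
    """Decode the text in src and write the raw bytes to dst (binary mode, no
    encoding step), so non-ASCII output is kept intact instead of becoming '?'.
    Returns which encoding was used."""
    kind, raw = guess_and_decode(Path(src).read_text(encoding="utf-8"))
    Path(dst).write_bytes(raw)
    return kind


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(decode_file(sys.argv[1], sys.argv[2]))
    else:
        # Stand-alone demo on the post's sample: show why the shell script printed "?".
        raw = decode_base64(SAMPLE_B64)
        print(raw[:3].hex(), "is UTF-8 for", raw.decode("utf-8")[0])  # e298a2 is UTF-8 for ☢
        print(raw.decode("utf-8"))
```

Run it as `decoder.py encoded.txt plain.bin` to get the paste-to-file workflow the coworker wanted; with no arguments it decodes the sample from this post and shows the three leading bytes that the shell script's terminal turned into a question mark. Trying hex before base64 matters: a hex string is also valid base64 alphabet, and base64-decoding it would silently produce garbage.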